SA-CORE-2013-003 ate my site! Now what?

When I updated Drupal to 7.24, the status report instructed me to twiddle my .htaccess files per security advisory SA-CORE-2013-003, so I did. And then my site unthemed itself. A quick trip to the error log revealed the problem, and even the solution: change FollowSymLinks to SymLinksIfOwnerMatch.

In short, my webhost does not permit the FollowSymLinks option for security reasons, but they do permit the somewhat more secure SymLinksIfOwnerMatch option. The log was full of lines such as "...public_html/files/.htaccess: Option FollowSymLinks not allowed here, referer: http://hyperlogos.org/admin/reports/status". So I tried disabling FollowSymLinks and reloading, and got "Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden", which had the solution right in it. Here's a quick piece of shell to fix this for all .htaccess files:

for i in $(find . -type f -name .htaccess -exec grep -il FollowSymLinks '{}' \;)
do
  chmod u+w "$i"    # the host write-protects .htaccess, so make it writable first
  sed -i -e 's/FollowSymLinks/SymLinksIfOwnerMatch/ig' "$i"    # -i -e, not -ie: GNU sed reads -ie as "-i with backup suffix e" and leaves .htaccesse files behind
  chmod u-w "$i"    # put the write protection back
done

You could glue it all together with semicolons on a single line. My host write-protects the .htaccess files automagically, so the files need to be made writable before sed can edit them in place. I had to run this command from my home directory, because the tmp directory is outside public_html, as it should be. This also twiddled the .htaccess in the copy of Drupal I have unpacked, but that's a feature and not a bug in case I forget about this the next time I have to go to the shell, which is roughly only when there's a new Drupal core release.
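As an added example (not the post's own one-liner), here is a pre-flight check that classifies each .htaccess before touching it and only rewrites Options lines, so a FollowSymLinks mention in a comment is left alone and a RewriteRule with neither option in the file gets flagged rather than silently breaking. It assumes GNU sed (for the I flag) and a host that, like the author's, rejects FollowSymLinks but allows SymLinksIfOwnerMatch; the sample .htaccess is constructed in the style of Drupal's files/.htaccess.

```shell
#!/bin/sh
# Classify one .htaccess: forbidden (host will reject it), ok (already uses
# SymLinksIfOwnerMatch), norewrite (RewriteRule present but neither option in
# this file, so mod_rewrite refuses it unless a parent config enables one),
# or clean (nothing relevant). Only real Options lines count, not comments.
classify_htaccess() {
  f="$1"
  if grep -Eiq '^[[:space:]]*Options[[:space:]].*FollowSymLinks' "$f"; then
    echo forbidden
  elif grep -Eiq '^[[:space:]]*Options[[:space:]].*SymLinksIfOwnerMatch' "$f"; then
    echo ok
  elif grep -Eiq '^[[:space:]]*RewriteRule' "$f"; then
    echo norewrite
  else
    echo clean
  fi
}

# Rewrite only Options lines, keep a .bak copy, and restore the read-only
# bit the host sets on .htaccess files (GNU sed assumed for the I flag).
fix_htaccess() {
  f="$1"
  chmod u+w "$f"
  sed -i.bak -E '/^[[:space:]]*Options[[:space:]]/ s/FollowSymLinks/SymLinksIfOwnerMatch/Ig' "$f"
  chmod u-w "$f"
}

# Report every .htaccess under a root; with mode=fix, repair the forbidden ones.
scan_tree() {
  root="${1:-.}" mode="${2:-report}"
  find "$root" -type f -name .htaccess | while IFS= read -r f; do
    state=$(classify_htaccess "$f")
    echo "$state $f"
    if [ "$mode" = fix ] && [ "$state" = forbidden ]; then fix_htaccess "$f"; fi
  done
}

# Demo on a constructed sample in the style of Drupal's files/.htaccess.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/files"
  printf 'Options None\nOptions +FollowSymLinks\n' > "$d/files/.htaccess"
  scan_tree "$d" fix
  classify_htaccess "$d/files/.htaccess"   # prints: ok
  rm -rf "$d"
}
```

Run scan_tree without the fix argument first to see what would change; the .bak copies are what you diff against afterwards.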
